Akamai Security Advisory
VERSION: 2013-0001-G
UPDATE: Jan 11, 2013, 1200 EST
Recent Financial Services DDoS Attacks: Ababil Phase II

TLP Green: Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

Page 2 of 4

Akamai Technologies, Inc. (TLP GREEN)

OVERVIEW
From December 10, 2012 through the week of January 11, 2013, several financial institutions have been targeted by large DDoS attacks. This is the second phase of the Operation Ababil campaign waged by the hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters (QCF). QCF is leveraging the BroBot botnet to launch these attacks, and Akamai has been actively defending customers against the campaign. This advisory summarizes what Akamai is able to share as of this writing, including techniques that have worked to mitigate the impact of the BroBot/QCF Phase II attacks. Information regarding this attack may have changed since this summary was written.

ABABIL CAMPAIGN HISTORY
Motivation
The QCF claims to be launching these attacks in an effort to have the "Innocence of Muslims" video, considered to contain anti-Islamic rhetoric, removed from YouTube. The Hilf-ol-Fozoul blog (http://hilf-ol-fozoul.blogspot.com/) documents apparent snapshots of multiple U.S. banking sites made unavailable by these attacks, alongside the QCF statement "Attacks will be over only if film is removed." The US Office of the Comptroller of the Currency (OCC) has issued an alert on these attacks (http://occ.gov/news-issuances/alerts/2012/alert-2012-16.html). It is worth noting that the OCC maintains the view that there may be criminal motivations behind the attacks.

Ababil Phase I (September – November 2012)
In September of 2012, U.S. banks started to experience a range of DDoS attacks impacting online application availability. The attacks used various techniques to cause site availability and performance disruptions. Attack vectors observed include:

• Volumetric DNS DDoS
• Volumetric Layer 3/4 DDoS
• Volumetric Layer 5-7 DDoS
• SSL resource attacks

As a recipient of some of the first attack traffic during Operation Ababil Phase I, Akamai immediately noticed that the attack patterns were homogeneous in nature, very unlike the highly diversified attack traffic seen with other hacktivist attacks. At the same time, Akamai noticed the absence of the English-language recruitment (flyers, Facebook, Twitter, Internet Relay Chat (IRC), and bulletin boards) that usually accompanies hacktivist-related DDoS attacks. Both observations point to a single operator-controlled botnet rather than a crowd of volunteers, and indeed the QCF used the BroBot botnet extensively throughout Operation Ababil Phase I. BroBot consists of compromised Virtual Private Servers (VPS) and cloud servers running vulnerable versions of the WordPress and Joomla content management systems (CMS) and related plugins. BroBot is considerably more effective than other botnets because each node has far more bandwidth (on the order of 100 Mbps versus roughly 1 Mbps for a home user) and because the supply of vulnerable servers appears to be endless.

Ababil Phase II (late December 2012 – current writing)
After a pause from the beginning of November into December, the attacks resumed on December 10. The QCF have continued to use BroBot and have varied the attacks to evade filtering, primarily by altering query strings, User-Agent strings, and targeted URLs. During Phase II of the campaign, individual BroBot nodes have been observed sending high-volume bursts of traffic (as many as 10,000 requests per minute per node), and the botnet has been observed sending as many as 18 million aggregate attack requests per second. These volumetric attacks burst for a short period of time and then go dormant, sometimes for hours or days, before resuming.


MITIGATION DETAILS
Some effective mitigation techniques for this attack have included:

• IP Blacklisting - The most recent iteration of this list is available to Akamai customers as part of their security configuration or through the FS-ISAC.

• User-Agent Blacklisting - BroBot has been observed using a handful of User-Agent strings that are unique to it.

• Query String Blacklisting - This technique uses a list of query string argument names that have been observed in use by the attackers. Deploying rules like this in a "negative security" model leads to a measure/counter-measure arms race between the attackers and the defenders: as soon as the attackers learn which argument names are blocked, they switch to new ones, which is exactly the kind of variation seen in Phase II.

• IP Rate Controls – Rate controls count the number of requests per IP address and block additional requests when one of a set of thresholds is exceeded.
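The four controls above, as an added worked example (not Akamai's code or configuration): a small Python filter that parses combined-format access log lines and applies, in order, an IP blacklist, an exact-match User-Agent blacklist, a query-string argument-name blacklist, and a sliding-window per-IP rate control. The sample log lines, IP addresses, User-Agent string and argument names are constructed for the example and are not the real BroBot indicators, which are only distributed to customers and through the FS-ISAC.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical indicators standing in for the lists the advisory describes;
# a real deployment loads the current feed (Akamai security config / FS-ISAC).
IP_BLACKLIST = {"198.51.100.7"}
USER_AGENT_BLACKLIST = {"Mozilla/5.0 (compatible; hypothetical-brobot/1.0)"}
QUERY_ARG_BLACKLIST = {"zz", "kk"}  # argument names, not values

# Constructed sample traffic (not real attack data): one clean client, one
# blacklisted IP, one bad User-Agent, one bad query argument, one bursting IP.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2013:12:00:00 -0500] "GET /login?user=bob HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
198.51.100.7 - - [11/Jan/2013:12:00:00 -0500] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.20 - - [11/Jan/2013:12:00:01 -0500] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; hypothetical-brobot/1.0)"
203.0.113.30 - - [11/Jan/2013:12:00:01 -0500] "GET /login?zz=4711 HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.40 - - [11/Jan/2013:12:00:02 -0500] "GET /login?user=a HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.40 - - [11/Jan/2013:12:00:02 -0500] "GET /login?user=b HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.40 - - [11/Jan/2013:12:00:03 -0500] "GET /login?user=c HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.40 - - [11/Jan/2013:12:00:03 -0500] "GET /login?user=d HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
203.0.113.40 - - [11/Jan/2013:12:00:20 -0500] "GET /login?user=e HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/17.0"
"""


def parse_line(line):
    """Extract client IP, epoch timestamp, User-Agent and query-argument names."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    query = urlsplit(m.group("target")).query
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "ua": m.group("ua"),
        "args": set(parse_qs(query, keep_blank_values=True)),
    }


class RequestFilter:
    """Stateful filter: static blacklists plus a sliding-window per-IP rate control."""

    def __init__(self, max_requests=3, window_seconds=10):
        self.max_requests = max_requests
        self.window = window_seconds
        self.seen = defaultdict(deque)  # ip -> request timestamps inside the window

    def _count(self, ip, ts):
        """Record this request and return how many the IP made inside the window."""
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # expire timestamps that fell outside the window
        return len(q)

    def decide(self, req):
        """Return the first control that fires, or 'allow'."""
        count = self._count(req["ip"], req["ts"])  # count every request, blocked or not
        if req["ip"] in IP_BLACKLIST:
            return "ip_blacklist"
        if req["ua"] in USER_AGENT_BLACKLIST:  # exact match on the known strings
            return "user_agent"
        if req["args"] & QUERY_ARG_BLACKLIST:  # any blacklisted argument name present
            return "query_string"
        if count > self.max_requests:
            return "rate_limit"
        return "allow"


def filter_log(text, max_requests=3, window_seconds=10):
    """Run every non-empty line through the filter; return (ip, verdict) pairs in order."""
    f = RequestFilter(max_requests, window_seconds)
    verdicts = []
    for line in text.splitlines():
        if line.strip():
            req = parse_line(line)
            verdicts.append((req["ip"], f.decide(req)))
    return verdicts


if __name__ == "__main__":
    for ip, verdict in filter_log(SAMPLE_LOG):
        print(ip, verdict)
```

Two points the example makes concrete. The first three controls are negative-security lists: a node that renames its query argument or changes its User-Agent string sails through, which is the arms race described above. The rate control is indifferent to those changes, and a node sending 10,000 requests per minute is roughly 167 requests per second, far above any interactive user, so a modest per-IP threshold over a short window catches it; the tuning problem is on the other side, where many legitimate users share one address behind a NAT or proxy and a threshold set too low blocks them too.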

REFERENCES & RELATED READING
• Qassam Cyber Fighter Pastebin - http://pastebin.com/u/QassamCyberFighters
• Hilf-ol-Fozoul (The Global Movement) - http://hilf-ol-fozoul.blogspot.com/
• OCC Alert - http://occ.gov/news-issuances/alerts/2012/alert-2012-16.html
• Gartner blog on the OCC alert - http://blogs.gartner.com/avivah-litan/2012/12/21/bank-regulator-issues-informative-alert-on-ddos-attacks/
• Interview with CSIRT Director Michael Smith on his thoughts and theories behind the DDoS attacks being the first signs of fraud - http://www.bankinfosecurity.com/interviews/ddos-attacks-first-signs-fraud-i-1705
• Traffic Light Protocol - http://www.us-cert.gov/tlp/
• Prolexic Advisory on itsoknoproblembro - http://www.prolexic.com/knowledge-center-ddos-threat-advisory-itsok/pr.html

CONTACTS
Existing customers who want additional information can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team. Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/, or on Twitter @akamai.


Akamai® is the leading cloud platform for helping enterprises provide secure, high-performing user experiences on any device, anywhere. At the core of the Company's solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com and follow @Akamai on Twitter.

Akamai Technologies, Inc.

International Offices Unterfoehring, Germany Paris, France Milan, Italy London, England Madrid, Spain Stockholm, Sweden

U.S. Headquarters 8 Cambridge Center Cambridge, MA 02142 Tel 617.444.3000 Fax 617.444.3001 U.S. toll-free 877.4AKAMAI 877.425.2624

www.akamai.com

Bangalore, India Sydney, Australia Beijing, China Tokyo, Japan Seoul, Korea Singapore

©2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.

The Akamai Difference